Can SAP Be Affected By Ransomware?

On the 14th of March, SAP released its scheduled set of SAP Security Notes for March. It includes a fix for a Remote Command Execution vulnerability in SAP GUI, identified by ERPScan’s researchers. The security issue was rated at 8.0 by CVSS Base Score v. 3.

As the name implies, in the case of a successful attack, an attacker can execute a command remotely, which essentially gives unfettered control over endpoint devices where the SAP GUI application is installed. This vulnerability can be used to upload ransomware to a hacked endpoint and stop business processes. According to the latest survey from Crowd Research Partners, the cost of a cyberattack on SAP can range from $1 to 50 million.

Attack at a glance

A hacker attacks the SAP NetWeaver ABAP server by exploiting one of the over 3800 vulnerabilities identified in SAP. Taking into account that some vulnerabilities stay unpatched for more than 6 years, it’s not a big deal. Then the attacker develops a simple SAP transaction that executes a command on SAP GUI and puts this transaction into autoload so that it will be executed automatically.

Each time a user logs in to the infected SAP server using SAP GUI, the malicious transaction is executed, calling a program on the endpoint that downloads the ransomware onto the SAP GUI client.

The next time a user tries to run an SAP GUI application, the ransomware will be executed and prevent him or her from logging on to the SAP server.
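From the defender's side, the chain above shows up on endpoints as the SAP GUI process starting a command interpreter, and because the trigger sits on the server, the same command appears on many workstations. The following detection sketch is an added example, not code from ERPScan or SAP; the process names, the list of suspicious children, the event layout and the sample events are assumptions constructed for illustration.

```python
import ntpath
from collections import defaultdict

# Assumption: SAP GUI for Windows runs under these executable names.
SAP_GUI_PARENTS = {"saplogon.exe", "sapgui.exe"}
# Assumption: shells and script hosts SAP GUI rarely has a reason to start.
SUSPICIOUS_CHILDREN = {"cmd.exe", "powershell.exe", "wscript.exe",
                       "cscript.exe", "mshta.exe", "rundll32.exe"}

SAPLOGON = r"C:\Program Files (x86)\SAP\FrontEnd\SAPgui\saplogon.exe"
CMD = r"C:\Windows\System32\cmd.exe"
PLACEHOLDER = "cmd.exe /c <constructed-placeholder>"

# Constructed process-creation events: (host, parent image, image, command line).
SAMPLE_EVENTS = [
    ("WS-0142", SAPLOGON,
     r"C:\Program Files\Microsoft Office\Office16\EXCEL.EXE",
     "EXCEL.EXE export.xlsx"),                    # normal: spreadsheet export
    ("WS-0142", SAPLOGON, CMD, PLACEHOLDER),
    ("WS-0207", SAPLOGON, CMD, PLACEHOLDER),
    ("WS-0311", SAPLOGON, CMD, PLACEHOLDER),
    ("WS-0207", r"C:\Windows\explorer.exe", CMD, "cmd.exe"),  # user-opened shell
]


def suspicious_spawns(events):
    """Return events where an SAP GUI process started a shell or script host."""
    return [e for e in events
            if ntpath.basename(e[1]).lower() in SAP_GUI_PARENTS
            and ntpath.basename(e[2]).lower() in SUSPICIOUS_CHILDREN]


def fleet_wide_commands(events, min_hosts=3):
    """Map command line -> hosts, for commands SAP GUI spawned on >= min_hosts machines.

    One identical command across many clients points at the server, not at a
    single infected workstation.
    """
    hosts = defaultdict(set)
    for host, _parent, _image, cmdline in suspicious_spawns(events):
        hosts[cmdline].add(host)
    return {cmd: sorted(h) for cmd, h in hosts.items() if len(h) >= min_hosts}


if __name__ == "__main__":
    for cmd, affected in fleet_wide_commands(SAMPLE_EVENTS).items():
        print(f"ALERT: SAP GUI ran {cmd!r} on {len(affected)} hosts: {affected}")
```

In practice the events would come from endpoint process-creation logging, and the child list needs tuning against what SAP GUI legitimately launches in a given landscape.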

Details

Can an SAP system be affected by ransomware?

Ransomware dominated the cyberthreat landscape in 2016 and is still one of the biggest threats hitting both individuals and enterprises. As for the latter, cybersecurity experts notice a huge transition in the focus of such attacks. Cybercriminals are primarily targeting organizations, making ransomware a billion-dollar business.
Ransom attacks are constantly diversifying and growing in sophistication. New forms of malware appear almost every week, and no system or application seems to be protected against this threat. It’s safe to say that it is going to get worse and no system is immune. ERPScan researchers identified a vulnerability in the SAP GUI client for Windows, which potentially opens the door to ransom attacks against millions of SAP users.

How exactly is the vulnerability exploited?

In March, SAP released its scheduled set of SAP Security Notes. It includes a fix for a Remote Command Execution vulnerability in SAP GUI, identified by ERPScan’s researchers. The security issue (CVE-2017-6950) was rated at 8.0 by CVSS Base Score v. 3.
As the name implies, in the case of a successful attack, an attacker can perform a command remotely, which essentially gives unfettered control over endpoint devices where the SAP GUI application is installed.
To leverage the vulnerability, an attacker has to compromise the SAP Server. There are several security issues that allow doing so; moreover, a number of them are still in the patching process.

How can an attacker conduct a ransom attack against an SAP System?

The latest MongoDB and Elasticsearch incidents demonstrated that ransomware attacks are lucrative, so hackers are looking for new ransomware mechanisms. Researchers who identified the vulnerability claim that this bug can be used to infect all endpoints within a victim company.

“The attack vector is rather trivial. By exploiting this vulnerability, an attacker can force all the SAP GUI clients within a company to automatically download malware that locks workstations and demands money in exchange to regain control of their systems. Of note, each client has its own unique payment address, which worsens the situation.”
Vahagn Vardanyan, one of the researchers who discovered this bug

How do I protect my SAP System?

Updates and Patches are the backbone of ransomware protection. It is recommended that SAP Customers install SAP Security Note 2407616.

What is SAP GUI?

SAP GUI (graphical user interface) is a platform providing remote access to the SAP central server in a company network. It allows an SAP user to access functionality in SAP applications such as SAP ERP, SAP Business Suite (SAP CRM, SAP SCM, SAP PLM, and others), and SAP Business Intelligence. SAP GUI is installed on every SAP user workstation, thus the number of potential victims may be millions.

FAQ

What is ransomware?

Ransomware is a type of malware that installs covertly on a victim’s device and encrypts his or her data or locks a computer or smartphone until the victim pays a ransom.
A classic ransomware scenario is a malware that encrypts data stored on an individual’s computer. A malefactor won’t give the decryption key unless a victim pays a fee (usually in Bitcoin). Of course, this is not the only attack scenario. Hackers always perfect their methods and ransom attacks are growing more sophisticated and diverse. So, ransomware has established itself as a reliable weapon of cybercrime against business entities.

How much is a standard ransom?

The fair answer is that there is no “standard”. The ransom depends on many factors. In the case of an attack on an individual, the amount of money ransomware programs ask for varies from as little as $30 to tens of thousands of dollars, while attacks against businesses involve 4-5 digit amounts of money. However, paying the ransom doesn’t guarantee the return of access.

How does ransomware infect a company?

The arsenal of ransomware attackers is growing, thus introducing new infection vectors. The most prevalent one is malicious email. In this case, an attacker uses social-engineering techniques to trick an employee into opening a malicious attachment or following a malicious link.
The second common infection vector is exploiting vulnerabilities in software to install malware. Malvertising and brute-forcing login credentials for the server can also be used as a ransom weapon. As the notorious ransom attacks against MongoDB and Elasticsearch showed, even poorly configured databases can be used to demand money from a victim organization.

If a company backs up its files, is it still at risk?

It is very helpful, but it is not a 100% guarantee that you won’t be harmed. To some extent, backups can help. However, it depends on how often they are made, where the backup data is stored and who has access to this information.

How can I protect my business from ransomware?

There are several measures to prevent ransom attacks on your business:

Patching and updates are essential. Everything within your landscape must be on the latest version.

Common truth – awareness is the key to security. Educate your employees, as the prevalent way to infect workstations is social engineering.